ISACA Journal
Volume 2, 2,019 


Sponsored Feature: Why Security Product Investments Are Not Working 

Sean Keef 

Enterprises invested in firewalls to keep malicious actors out of the infrastructure. They bought a scanner—better yet, multiple scanners—to keep vulnerabilities on assets from being exploited. Yet attacks still occur. And the security information and event management (SIEM) system that was purchased to rapidly find and fix security issues and mitigate damage reports back a laundry list of items requiring investigation. What is worse, the dream team of security personnel organizations hoped to hire to overcome these issues is increasingly hard to find.

This is the state of affairs in too many enterprise security programs: The goals behind major investments even in best-of-breed products are never fully achieved and the full value of the solution never fully realized, despite lots of money spent and even more at stake.

The reason damaging attacks continue to occur is because of security gaps. These gaps are the deficit between the ideal envisioned when a security solution was purchased and the reality of its success in safeguarding the organization. In the case of firewalls, the gap exists because of difficulty ensuring the security designed in policy is continuously adhered to in the actual network. For scanners, it is because finding and then fixing critical vulnerabilities amid the thousands—or millions—in the enterprise is a losing battle. And for SIEMs, the time it takes to get all the data needed to understand the significance of an indicator of compromise (IOC) makes response times drag on and can waste resources on insignificant issues.

But there is a process to close these gaps, realize the full benefits of existing investments and better secure the organization. And by following this process, enterprises can also reduce the need to hunt for hard-to-find talent. The first step is data.

Good, Clean Data

Data are the foundation of all security programs. Whether processes are performed manually by a small team in the same office or automated by multivendor technology across a global network, all tasks need to be referencing back to comprehensive, fresh data. This means it is necessary to regularly collect data from a variety of sources including:

  • Hybrid infrastructure—Traditional IT, operational technology (OT), and public and private clouds
  • Assets—End point detection and response systems (EDRs), patch management systems, configuration management databases (CMDBs) and homegrown databases
  • Vulnerabilities—Scanners, asset configuration weaknesses and custom vulnerabilities
  • Threat intelligence—Public and private security feeds and analyst research, providing exploitability data and potential solutions

There may be dozens of vendors behind these sources, which is why it is important to normalize and merge the information to create central data repositories that are not product specific, so security posture can be understood—and improved—holistically rather than within a particular vendor silo. At the enterprise scale, such processes must be automated.

Turning Data Into Intelligence

By mixing disparate data sets, enterprises can begin to gain insight from data. For example, correlating syslogs with access control lists (ACLs) can determine unused rules that can be removed from firewalls, optimizing their performance. But it is when data are built into a model that true intelligence can emerge.

Visual, interactive models are not only an ideal testing ground for automated simulations, they are also a queryable environment that can help security teams see and understand risk and how best to eliminate it. By modeling that data outlined previously, organizations can have an actual picture of their attack surface and know the reality of their security status—not the ideal designed in policy or defined in service level agreements (SLAs).

Network modeling is incredibly useful to understand how well firewalls are aligned to policy. Comparing organizational policies against aggregate network access, device configurations, ACLs, network and port address translations (NAT, PAT), and routing rules will identify where changes need to be made to match up to internal security policies, best practices and regulatory mandates. Modeling can also refine vulnerability scan results and remediation priorities by matching vulnerabilities to assets within the infrastructure and potential attack paths. This will identify vulnerable asset exposures—a critical risk—that are simply impossible to find with scanning alone. Similarly, modeling can contextualize SIEM data by revealing the relationship between an asset with an IOC and the surrounding network topology and security controls. Such insight can give security operations center (SOC) personnel knowledge on reachability and how incidents could spread.

In essence, modeling turns centralized data libraries into the single source of truth so desperately needed in enterprise security programs. The data they contain not only provide a singular reference point, but the model itself also lays bare the facts of the attack surface—what it is an organization is trying to protect, from what and what tools are best suited to defend it.

Improving Processes to Reduce Risk

By basing security processes on a complete and single source of truth, organizations can bridge the security gaps plaguing enterprise security and get the full value out of investments already made. Using the model, organizations can proactively assess if firewall changes would cause violations—or expose vulnerable assets—and continuously ensure firewalls meet security standards, even as the network evolves. By modeling vulnerabilities, assets, threat intelligence and attack paths, enterprises can improve patch management by aligning remediation priorities with vulnerabilities most likely to be targeted and reached by an attacker. And when incidents do occur, having an accurate and up-to-date model exponentially reduces the time SOC operators spend on IOC investigations; they now have contextual intelligence at their fingertips, eliminating red herring chases and identifying response options to contain attacks quickly.

Closing security gaps is crucial to reducing risk in an organization, but it also makes business sense as well. These gaps are not caused by technology alone, so investing in yet more point products will do little to improve security status and nothing to increase the return on investment of existing solutions.

Security investments are not working because they are not working together. By integrating and contextualizing data and establishing a single source of truth that all teams, processes and automated workflows can reference, enterprises can realize the full benefit of existing investments, improve their effectiveness and intelligently secure the organization.

Sean Keef
Is the global director of technical product marketing at Skybox Security. He is a security technology professional with a passion for teaching and talent for simplifying difficult technology concepts. His career in networking and security spans three decades and has brought him in contact with a vast array of enterprises in financial, manufacturing, retail and technology. Keef has been with Skybox Security for six years advising customers and serving in various technical roles, including sales engineer, technical educator and technical field consultant.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.